and all I got was an "Internal server error" message, not an "invalid password" or anything similar.. Makes me wonder, vaguely, if there is still something to this bug.. I doubt it, but might be worth looking into.
Server Name: lc3-lfd63.law5.hotmail.com
Your Browser (User Agent) = Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Last Task (ScriptName) =/home/httpd0/cgi-bin/password.cgi
RequestMethod = GET
QueryString = login=ACCOUNTNAME&curmbox=active
I was running through various places, and I ran across this bit. Thought it is rather interesting..
I am quoting from http://www.w3.org/Security/Faq/wwwsf4.html
"HotMail
The CGI scripts that run the popular HotMail e-mail system use a flawed security system that allows unauthorized individuals to break into user's e-mail accounts and read their mail. This problem is known to affect the version of HotMail that was in place as of December 1998. For further information, see these links:
http://email.miningco.com/library/nus/bl120898-1.htm
http://www.geocities.com/ResearchTriangle/Lab/6601/shailesh/hotmail.html "
Specifically the first link..
Quoting from that link..
"Hotmail Accounts Easily Accessed by Hackers
Hotmail is still extremely vulnerable to hackers who try to gain access to other people's email accounts, Shailesh Govekar and Krishnan VenkataRaman, software engineers at Lisec Software, have found out.
It may be easier than you think for other people (malicious or not) to read your (Hot)mail. They do not even need your password. All it takes is a URL and the user whose email they want to read to be logged in.
Sneaking the right URL out of Hotmail's database is easy and can be done at any time with only the user name of the account-to-be-hacked.
On their Web site Govekar and VenkataRaman describe the necessary steps in detail. A URL looking like http://www.hotmail.com/cgi-bin/password.cgi?login=username&curmbox=active will reveal the URL that can be used to access the account belonging to username.
If, for example, we insert "exhibitio" as the username, the URL is http://www.hotmail.com/cgi-bin/password.cgi?login=exhibitio&curmbox=active. The source (or, in Netscape, the "page info") reveal the URL to access "exhibitio"'s mail if the user is currently logged in to Hotmail: it is the first string beginning with "http", in our sample case http://207.82.252.251/cgi-bin//start/exhibitio/209.185.130.45_d436.
The problem is that Hotmail uses neither HTTP authentication nor cookies to ensure an account is accessed only from the computer that originally logged in to the account. "
Now, let's take this evidence against Microsoft's PR crap..
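The flaw the quoted article describes, modelled next to a cookie-bound session, as an added example that is not part of the original comment and is not Hotmail's code. The class names, the session path layout and the sample address are assumptions constructed for illustration.

```python
import secrets

class UrlSessionStore:
    """Flawed model: the session handle is a URL that a lookup by username discloses."""
    def __init__(self):
        self._active = {}                      # username -> session URL path

    def login(self, username, client_ip):
        # Path layout is an assumption loosely following the URL quoted above.
        path = f"/cgi-bin/start/{username}/{client_ip}_{secrets.token_hex(2)}"
        self._active[username] = path
        return path

    def password_page(self, username):
        return self._active.get(username)      # returned to ANY caller: the bug

    def open_mailbox(self, path):
        return path in self._active.values()   # holding the URL is the only check

class CookieSessionStore:
    """Hardened model: random token in a cookie, never derivable from a username."""
    def __init__(self):
        self._sessions = {}                    # token -> username

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token, f"sid={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

    def _owns(self, username, cookie_token):
        return cookie_token in self._sessions and self._sessions[cookie_token] == username

    def password_page(self, username, cookie_token=None):
        # Served only to the session owner; the response carries no session data.
        return self._owns(username, cookie_token)

    def open_mailbox(self, username, cookie_token=None):
        return self._owns(username, cookie_token)

def demo():
    legacy, hardened = UrlSessionStore(), CookieSessionStore()
    legacy.login("exhibitio", "203.0.113.7")       # constructed sample values
    leaked = legacy.password_page("exhibitio")      # caller presents no credentials
    token, _ = hardened.login("exhibitio")
    return {
        "legacy_third_party": legacy.open_mailbox(leaked),
        "hardened_no_cookie": hardened.open_mailbox("exhibitio"),
        "hardened_wrong_cookie": hardened.open_mailbox("exhibitio", "guess"),
        "hardened_owner": hardened.open_mailbox("exhibitio", token),
    }
```
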
Heh, here's an idea. Stop spending 12 hours a day on the internet.
That just might solve a problem or two.
Don't blame the object of your addiction for your own inability to solve your problems.
And finally, get some help, or you are gonna have more problems in the future. There _ARE_ 12 step programs out there. Don't ask me where, search yahoo for "internet addiction 12 step" or something. Maybe you'll get laid once in a while, after you get 'cured'
Ok. I have an idea. If someone is downloading porn and keeping it to themselves, what is the problem? If someone else happens to see it, and find it offensive, then the problem starts. I think, if reported, then the person who has the porn (or other offensive content) should be warned, and if reported again, disciplinary action be performed. This would root out many privacy issues and make the overall situation better in the long run. It really pisses me off when someone finds something even slightly, then without trying to rectify the situation, immediately cry out "LAWSUIT". This is ludicrous and plain stupid. If you are going to monitor the people's accounts, definitely warn them. To do otherwise would be wrong IMHO, though it is still an invasion of privacy.
This does not give them a right to tap your phone lines. They may tap your lines now, but that's only one step away from putting bugs in the house. Then what? You're only stupid if you don't discuss your secret agenda in a cornfield at midnight, under a cover so the spy satellites can't see you? hmm...
No it was those aliens temporarily knocking out communications in your area so they could abduct and implant people with bugs.
Either that or some "computer expert" finally found out where the "on" switch was..
Not sure. I personally found this slightly funny.
Moderation Advice: comment +2, moderator's Karma -2.